Thursday, April 26, 2012 6:39 PM
1. How do I ensure that my DHCP server only issues IPs to machines that are in the domain? (That is, a user can't just come and plug in a cable and receive an IP. You can also recommend a better solution to control this, if any.)
2. What are some things that I should put in place to ensure security around Windows servers against any internal intruder?
3. If I am having my server firewall off, does it mean I am open to any attacks internally? (Is a firewall a must for security?)
Friday, April 27, 2012 5:28 AM
Regarding #1, you can use MAC address-based filtering. It is a built-in feature of 2008 R2 and available as a download for previous versions of Windows Server. See the Windows DHCP Team blog article which covers the feature in detail: http://blogs.technet.com/b/teamdhcp/archive/2007/10/03/dhcp-server-callout-dll-for-mac-address-based-filtering.aspx
Regarding #2, this is a pretty broad question. I generally prefer to answer broadly to such questions! I recommend looking at some of the core security concepts: a server patch process, role-based access control, encryption, physical security, intrusion prevention, and logging/monitoring/auditing. For internal intruders, privilege escalation is a big concern. Physical security is also critical.
Regarding #3, a firewall will allow or deny network communication based on the rules and policies you configure. But it provides only one layer of a multi-layered security strategy. For example, let's assume you have a web server that listens on port 80. You configure your firewall to only allow port 80 inbound (and some limited set of ports outbound [typical config]). An attacker can compromise the server on port 80 based on an unpatched server, a known or unknown exploit that targets the web server or application, or via social engineering (gaining valid credentials). The firewall helps in such cases, but not much. If the attacker compromises the server and can execute code, he can go back out on port 80 (or test available outbound ports until he finds one) and then send back whatever data he's looking for (that is available on the web server such as the SAM database or corporate intellectual property). So even with a firewall, you are still open to attacks both internally and externally. The only way to close your servers off to attacks is by taking them off of networks (including the internet)! But in general terms, always think about a multi-layered security strategy.
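The MAC allow-list approach from the reply to #1, as an added example that is not part of the thread: it assumes the DhcpServer PowerShell module (Windows Server 2012 or later RSAT) rather than the 2008 R2 callout DLL from the linked article, and the inventory CSV and MAC addresses are constructed sample values.

```powershell
# Added example, not from the original thread. Assumes the DhcpServer module
# (Server 2012+); on 2008 R2 the same allow list is managed through the callout
# DLL described in the linked blog article. Inventory below is constructed.
$inventory = @"
Name,MacAddress
WKS-001,00-11-22-33-44-01
WKS-002,00-11-22-33-44-02
"@ | ConvertFrom-Csv

# Populate the allow list from the inventory, skipping entries already present.
$existing = (Get-DhcpServerv4Filter -List Allow).MacAddress
foreach ($pc in $inventory) {
    if ($existing -notcontains $pc.MacAddress) {
        Add-DhcpServerv4Filter -List Allow -MacAddress $pc.MacAddress -Description $pc.Name
    }
}

# Dry run before enforcing: show current leases whose client MAC is not on the
# allow list, so machines missing from the inventory are found before they lose DHCP.
$allowed = (Get-DhcpServerv4Filter -List Allow).MacAddress
Get-DhcpServerv4Scope |
    ForEach-Object { Get-DhcpServerv4Lease -ScopeId $_.ScopeId } |
    Where-Object { $allowed -notcontains $_.ClientId } |
    Select-Object IPAddress, ClientId, HostName

# Turn enforcement on only once the dry run lists nothing unexpected.
Set-DhcpServerv4FilterList -Allow $true
```

Keep in mind that the allow list only governs address leasing; a client that sets a static IP bypasses it, which is why the reply treats it as one layer rather than a complete control.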